Secrets in AWS S3
Store AWS credentials as secrets and reference them in S3 destination nodes.
Basic S3 Destination
Secrets to create:
| Secret Name | Description |
|---|---|
| aws-access-key | Your AWS Access Key ID |
| aws-secret-key | Your AWS Secret Access Key |
S3 Destination Node:
- name: s3_destination
  type: s3_output
  region: us-west-2
  bucket: my-logs-bucket
  aws_key_id: '{{ SECRET aws-access-key }}'
  aws_sec_key: '{{ SECRET aws-secret-key }}'
S3 Destination with KMS Encryption
For S3 destinations using AWS KMS encryption, store the KMS key ID as an additional secret.
Secrets to create:
| Secret Name | Description |
|---|---|
| aws-access-key | AWS Access Key ID |
| aws-secret-key | AWS Secret Access Key |
| kms-key-id | KMS Key ID for encryption |
S3 Destination with KMS:
- name: s3_encrypted_destination
  type: s3_output
  region: us-west-2
  bucket: encrypted-logs-bucket
  aws_key_id: '{{ SECRET aws-access-key }}'
  aws_sec_key: '{{ SECRET aws-secret-key }}'
  kms_key_id: '{{ SECRET kms-key-id }}'
  server_side_encryption: aws:kms
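A pre-deployment check for the pattern shown in the node configurations above, as an added example (not part of the original documentation or the product's own tooling): it scans node configuration text and reports any `aws_key_id`, `aws_sec_key` or `kms_key_id` whose value is a literal rather than a `{{ SECRET name }}` reference. The line-based parsing, the function name `find_inline_credentials`, and the sample config (including the `s3_legacy` node) are assumptions made for illustration.

```python
import re

# Fields this page stores as secrets on s3_output nodes.
SECRET_FIELDS = {"aws_key_id", "aws_sec_key", "kms_key_id"}
# Reference form used on this page: '{{ SECRET <name> }}'
SECRET_REF = re.compile(r"^\{\{\s*SECRET\s+[A-Za-z0-9_.-]+\s*\}\}$")
FIELD_LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]+)\s*:\s*(.*?)\s*$")

# Constructed sample: the first node follows the page, the second is a
# hypothetical node with credentials pasted inline (placeholder values).
SAMPLE = """\
- name: s3_destination
  type: s3_output
  region: us-west-2
  bucket: my-logs-bucket
  aws_key_id: '{{ SECRET aws-access-key }}'
  aws_sec_key: '{{ SECRET aws-secret-key }}'
- name: s3_legacy
  type: s3_output
  region: us-west-2
  bucket: my-logs-bucket
  aws_key_id: AKIA-CONSTRUCTED-EXAMPLE
  aws_sec_key: "constructed-placeholder-not-a-real-key"
"""


def find_inline_credentials(config_text):
    """Return (line_no, node_name, field) for every secret field whose
    value is not a '{{ SECRET name }}' reference."""
    findings = []
    node = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0]  # drop trailing comments (simplification)
        m = FIELD_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"").strip()
        if key == "name":
            node = value  # remember which node the following fields belong to
        elif key in SECRET_FIELDS and not SECRET_REF.match(value):
            findings.append((line_no, node, key))
    return findings


if __name__ == "__main__":
    for line_no, node, field in find_inline_credentials(SAMPLE):
        print(f"line {line_no}: node '{node}' sets {field} without a SECRET reference")
```

Run it in CI or a pre-commit hook against the pipeline configuration so that a literal credential fails the check before it reaches version control.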
Alternative: IAM Roles
For agents running in AWS environments (EKS, EC2), consider using IAM Roles for Service Accounts (IRSA) or instance profiles instead of static credentials. This eliminates the need to manage secrets for AWS authentication.
See Also
- S3 Destination Node - Complete S3 destination configuration reference
- Secrets Overview - Secrets management concepts